Kit Sunde's questions

As far as I can device, it should be entirely possible to TCP forward SSL traffic, but it's failing for unknown reasons. My nginx config:

load_module /usr/lib/nginx/modules/ngx_stream_module.so;

user www-data;
worker_processes auto;
pid /run/nginx.pid;

events {
    worker_connections 768;
}

stream {
  server {
    listen 80;
    proxy_pass mediapop.co:80;
  }
  server {
    listen 443;
    proxy_pass mediapop.co:443;
    ssl_preread on;
  }
}

Then on the same server I run:

$ curl -v -H "Host: mediapop.co" https://localhost
* Rebuilt URL to: https://localhost/
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 443 (#0)
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
* found 592 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* gnutls_handshake() failed: Handshake failed
* Closing connection 0
curl: (35) gnutls_handshake() failed: Handshake failed

I can curl https://mediapop.co directly. Meanwhile the port 80 forward works fine. I'm on the latest nginx 1.14.0.

Is there a nicer way of doing zcat in ansible than invoking shell?

- name: "Unpack the local config"
  shell: "zcat /proc/config.gz > /usr/src/linux/.config"
  args:
    creates: "/usr/src/linux/.config"

I've setup a Simple AD on AWS that I can finally authenticate against with LDAP. I don't understand why I was unable to use dc= which is widely suggested everywhere but am able to use @domain.

ldap_bind($ldapconn, "cn=Administrator,dc=ldap,dc=patontheback,dc=org", "<password>");
ldap_bind($ldapconn, "[email protected]", "<password>");

Are these not supposed to be equivalent? Will @domain always work or it specific to Simple AD?

I'm getting a ton of failed a ton of failed access:

185.103.252.174 - - [28/Apr/2016:15:09:16 -0400] "POST /xmlrpc.php HTTP/1.1" 499 0 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
173.246.56.51 - - [28/Apr/2016:15:09:17 -0400] "POST /xmlrpc.php HTTP/1.1" 499 0 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
185.103.252.173 - - [28/Apr/2016:15:09:17 -0400] "POST /xmlrpc.php HTTP/1.1" 499 0 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
23.226.36.2 - - [28/Apr/2016:15:09:17 -0400] "POST /xmlrpc.php HTTP/1.1" 499 0 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
23.226.36.2 - - [28/Apr/2016:15:09:17 -0400] "POST /xmlrpc.php HTTP/1.1" 499 0 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
185.103.252.173 - - [28/Apr/2016:15:09:17 -0400] "POST /xmlrpc.php HTTP/1.1" 499 0 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
148.251.184.222 - - [28/Apr/2016:15:09:17 -0400] "POST /xmlrpc.php HTTP/1.1" 499 0 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
148.251.184.222 - - [28/Apr/2016:15:09:17 -0400] "POST /xmlrpc.php HTTP/1.1" 499 0 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
148.251.184.222 - - [28/Apr/2016:15:09:18 -0400] "POST /xmlrpc.php HTTP/1.1" 499 0 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"

My /etc/fail2ban/filter.d/wordpress-auth.conf:

[Definition]
failregex = <HOST>.*POST.*xmlrpc\.php.* 499

In my /etc/fail2ban/jail.conf:

[wordpress]
enabled  = true
port     = http,https
filter   = wordpress-auth
logpath  = /var/log/nginx/access.log
maxretry = 3
bantime  = 86400

I've restarted fail2ban, but I'm not seeing any [wordpress] in my /var/log/fail2ban.log. What am I doing wrong?

I'm using an synced folder on vagrant 1.8.1 and I want it to chown the files, but it doesn't seem to take effect. This is my synced folder:

config.vm.synced_folder(
  '../..',
  '/home/deploy/sosd/local/',
  owner: 'deploy',
  group: 'deploy',
  type: "rsync",
  rsync__chown: true,
  rsync__exclude: [
    '.git',
    '.idea',
    'src/frontend/dist',
    'src/frontend/tmp',
    'src/frontend/node_modules',
    'src/frontend/bower_components'
  ]
)

I still end up with:

drwxr-xr-x 7 vagrant vagrant 4096 Apr 21 07:39 ansible
-rw-r--r-- 1 vagrant vagrant 1198 Apr 18 10:31 circle.yml
-rw-r--r-- 1 vagrant vagrant 1202 Apr 21 05:37 README.md
-rw-r--r-- 1 vagrant vagrant  146 Apr 17 10:52 requirements.txt
drwxr-xr-x 4 vagrant vagrant 4096 Apr 14 23:15 src

Why is that?

I tried

vagrant snapshot push
vagrant destroy
vagrant snapshot pop

But of course the VM is gone so that won't work. The problem is that if I want to debug provisioning from scratch then I don't want to nuke my whole dev setup each time. As a workaround I can redefine my Vagrant file into a multi-machine setup probably and make abuse that to get new boxes.

Is there vagrant cli way of saving and restoring my setup?

I have some code checking for the existence of something. If it has 2 lines it means the post exists. Can I register the variable from the check into a boolean immediately in the first task, rather than needing to cast it in the second? My current solution:

- name: Check if home page has been created
  sudo_user: www-data
  shell: wp post list --post_type=page --post_title=Home --post_status=publish
    chdir={{wordpress_path}}
  register: is_homepage_created

- name: Booleanize homepage check
  set_fact:
    is_homepage_created={{is_homepage_created.stdout_lines|length >= 2}}

When I auth with a non-sudo user I want to override playbook sudo.

---
name: test
hosts: foo
sudo: yes

If I do:

ansible-playbook test.yml -e "sudo=no"

It doesn't get properly override, instead I have to remove sudo: yes from my playbook. Shouldn't sudo=no work?

It's painfully slow to run freshclam, but clamav-daemon won't start without it:

$ sudo service clamav-daemon start
* Clamav signatures not found in /var/lib/clamav
* Please retrieve them using freshclam
* Then run '/etc/init.d/clamav-daemon start'

Can I get clamav-daemon to ignore it so each server don't have to run a 10-30 minute update on first deploy?

I specifically cannot add åäö to php-cli on the ubuntu server. I can write it in the terminal outside of the php-cli, I can create a file test.php and manually write:

<?php
echo "åäö";

And execute it with php -f test.php giving me the expected output. Looking at phpinfp(); I have:

default_charset => UTF-8 => UTF-8

mbstring.internal_encoding => UTF-8 => UTF-8

LANG => en_US.UTF-8

I don't understand what's preventing me from passing charaters to PHP. What could be wrong?

Is it possible to permanently add c:/project/bin to PATH i windows using only batch?

I'm trying to apply some iptables rules and iptables -F is supposed to remove the current rules (from my understanding), but instead it appears to freeze my SSH connection and not let me re-establish until I power toggle.

I go through these steps:

1. Apply iptables rules:

# Delete all existing rules
iptables -F

# Set default chain policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# MultiPorts (Allow incoming SSH, HTTP and phpMyAdmin)
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,80,2222 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,2222 -m state --state ESTABLISHED -j ACCEPT

# Allow loopback access
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow outbound DNS
iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT

# derp
iptables -A OUTPUT -o eth0 -p tcp -m multiport --dport 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m multiport --sport 80,443 -m state --state ESTABLISHED -j ACCEPT

# Outgoing Sendmail
iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT

# DNS server
iptables -A INPUT -p udp -s 0/0 --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp --sport 53 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -s 0/0 --sport 53 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp --sport 53 -d 0/0 --dport 53 -m state --state ESTABLISHED -j ACCEPT

# Allow DNS zone transfer
iptables -A INPUT -p tcp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

# Prevent DoS attack
iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT

# Log dropped packets
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
iptables -A LOGGING -j DROP

2. Try to reset with iptables -F

3. Get locked out

What am I doing wrong?

I'd like to move a an ssh key into vagrant and put them in ~/.ssh, what's the easiest way of doing that? I have the following in my Vagrant file:

config.vm.synced_folder "conf.d", "/svr/conf.d"
config.vm.provision :shell, 
:inline => "ls -l /svr/conf.d/.ssh"

total 4 -rw-r--r-- 1 vagrant vagrant 1670 Mar 26 08:19 id_rsa.mediapop

config.vm.provision :shell, 
:inline => "cp /svr/conf.d/.ssh/id_rsa.mediapop /home/ubuntu/.ssh/id_rsa"
config.vm.provision :shell, 
:inline => "ls -l /home/ubuntu/.ssh"

total 4 -rw------- 1 ubuntu ubuntu 0 Mar 22 08:56 authorized_keys -rw-r--r-- 1 root root 1670 Mar 26 08:59 id_rsa

but then when I do vagrant ssh -c "ls -l ~/.ssh" I get:

$ vagrant ssh -c "ls -l ~/.ssh"
total 4
-rw-r--r-- 1 vagrant vagrant 409 Mar 20 04:47 authorized_keys

So vagrant is overwriting my .ssh directory.

In nginx.conf:

http { 
    geoip_country /etc/nginx/GeoIP.dat;
    ...
}

If I do:

server{
    ...
    location / {
        add_header X-Geo $geoip_country_code;                   
        add_header X-Geo3 $geoip_country_code3;
        add_header X-IP $remote_addr;
        ...
    }
}

Only X-IP show up in my headers.

$ curl -I www.example.org
HTTP/1.1 302 FOUND
Content-Type: text/html; charset=utf-8
Date: Thu, 17 Jan 2013 19:29:23 GMT
Location: http://www.example.org/login/?next=/
Server: nginx/1.2.2
Vary: Cookie
X-IP: 10.139.34.12
Connection: keep-alive

If I change the location block to:

location / {
    add_header X-Geo "foo";                   
    add_header X-Geo3 "bar";
    add_header X-IP $remote_addr;
    ...
}

The headers show up, how can I get $geoip_country_code?

I'd like to set Cache-Control: no-expire but only on POSTs, what would be the correct way of doing that?

I'm doing a proxy_pass in nginx on port 80 to 8000 on my remote server, and then a port forward from 8000 to 80 from the remote to my localhost. This works great, but I'd also like to do it with https but it seems like nginx needs a valid cert to pass the traffic on.

Is there a way for my remote server to simply forward the trafic from port 443 to say 8443 (and then I'll forward remote 8443 to local 443). Then terminate ssl on my development machine instead instead of needing to do it on the remote server?

My remote runs ubuntu and my localhost runs osx.

I setup stunnel on OSX to tunnel traffic to my Django dev server because Facebook needs HTTPS these days but I noticed it's being absurdly slow. It seems like it can only handle a single connection at a time and even the connection is slow when I'm connecting to localhost. I've tried using some performance tips found online and so my config is setup as:

pid=
# foreground=yes
cert=./cacert.pem
key=./privkey.pem
libwrap=no
debug=0
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

[https]
accept=8443
connect=8000

Is there a way to get more performance or more suitable way of setting up HTTPS for my dev server?

I'm not very familiar with Active Directory and I've been trying to figure out if there's log files to check that would list user logins with times to check up on unauthorized access. I'm running Active Directory in windows 2008.

I have a small vps with a minimum install of ubuntu lucid-lynx with about 256mb memory, it's newly installed with nothing special running on it. I'm trying to deploy django to it, while I'm successfully running the server using manage.py, I can't get apache with wsgi working:

# service apache2 start && service apache2 status
* Starting web server apache2                      [ OK ] 
Apache is NOT running.

Erorr log /var/log/apache2/error.log:

[Thu Apr 14 21:17:29 2011] [warn] pid file /var/run/apache2.pid overwritten -- Unclean shutdown of previous Apache run?
[Thu Apr 14 21:17:29 2011] [notice] Apache/2.2.14 (Ubuntu) mod_wsgi/2.8 Python/2.6.5 configured -- resuming normal operations
[Thu Apr 14 21:17:29 2011] [alert] (11)Resource temporarily unavailable: apr_thread_create: unable to create worker thread
[Thu Apr 14 21:17:29 2011] [error] Exception KeyError: KeyError(-1216795792,) in <module 'threading' from '/usr/lib/python2.6/threading.pyc'> ignored
[Thu Apr 14 21:17:29 2011] [alert] (11)Resource temporarily unavailable: apr_thread_create: unable to create worker thread
[Thu Apr 14 21:17:29 2011] [error] Exception KeyError: KeyError(-1216795792,) in <module 'threading' from '/usr/lib/python2.6/threading.pyc'> ignored
[Thu Apr 14 21:17:31 2011] [alert] No active workers found... Apache is exiting!

My apache config file /etc/apache2/httpd.conf:

WSGIScriptAlias / /usr/local/django/deals/apache/django.wsgi

<Directory /usr/local/django/deals/apache>
Order deny,allow
Allow from all
</Directory>

The /usr/local/django/deals/apache/django.wsgi file:

import os
import sys

path = '/usr/local/django/deals'
if path not in sys.path:
    sys.path.append(path)

os.environ['DJANGO_SETTINGS_MODULE'] = 'deals.settings'

import django.core.handlers.wsgi
application = django.core.handlers.wsgi.WSGIHandler()

Seem to be installed:

# dpkg -l \*apache\* |grep -E '^ii'
ii  apache2                          2.2.14-5ubuntu8.4                        Apache HTTP Server metapackage
ii  apache2-mpm-worker               2.2.14-5ubuntu8.4                        Apache HTTP Server - high speed threaded mod
ii  apache2-utils                    2.2.14-5ubuntu8.4                        utility programs for webservers
ii  apache2.2-bin                    2.2.14-5ubuntu8.4                        Apache HTTP Server common binary files
ii  apache2.2-common                 2.2.14-5ubuntu8.4                        Apache HTTP Server common files
ii  libapache2-mod-wsgi              2.8-2ubuntu1                             Python WSGI adapter module for Apache

I attempted to move my database to a different mount on my Ubuntu installation on an amazon EC2 instance, because it was filling up the root directory. I think I've borked something up. When I run:

$ sudo mysqld --datadir=/var/lib/mysql --user mysql
110412 11:36:44 [Warning] Can't create test file /mnt/var/lib/mysql/ip-10-244-207-161.lower-test
110412 11:36:44 [Warning] Can't create test file /mnt/var/lib/mysql/ip-10-244-207-161.lower-test

In /var/log/mysql/error.log:

110412 16:01:27 [Note] Plugin 'FEDERATED' is disabled.
/usr/sbin/mysqld: Can't find file: './mysql/plugin.frm' (errno: 13)
110412 16:01:27 [ERROR] Can't open the mysql.plugin table. Please run mysql_upgrade to create it.
/usr/sbin/mysqld: Can't create/write to file '/mnt/tmp/ibRTnZix' (Errcode: 13)
110412 16:01:27  InnoDB: Error: unable to create temporary file; errno: 13
110412 16:01:27 [ERROR] Plugin 'InnoDB' init function returned error.
110412 16:01:27 [ERROR] Plugin 'InnoDB' registration as a STORAGE ENGINE failed.
110412 16:01:27 [ERROR] /usr/sbin/mysqld: Can't create/write to file '/mnt/var/lib/mysql/ip-10-244-207-161.pid' (Errcode: 13)
110412 16:01:27 [ERROR] Can't start server: can't create PID file: Permission denied

The file ip-10-244-207-161.lower-test does not already exist:

ls -l /mnt/var/lib/mysql
total 20532
-rwxr-xr-x 1 mysql root         0 2011-02-28 22:23 debian-5.1.flag
-rwxr-xr-x 1 mysql mysql 10485760 2011-04-12 07:31 ibdata1
-rwxr-xr-x 1 mysql mysql  5242880 2011-04-12 07:31 ib_logfile0
-rwxr-xr-x 1 mysql mysql  5242880 2011-02-28 22:23 ib_logfile1
drwxr-xr-x 2 mysql root      4096 2011-02-28 22:23 mysql
-rwxr-xr-x 1 mysql root         6 2011-02-28 22:23 mysql_upgrade_info
drwxr-xr-x 2 mysql mysql     4096 2011-04-11 08:22 scrapy_cache

The directories seem to be accessable:

$ ls -l /mnt/var/lib/ | grep mysql
drwxr-xr-x 4 mysql mysql 4096 2011-04-12 07:31 mysql

$ ls -l /var/lib/ | grep mysql
lrwxrwxrwx 1 mysql     root      18 2011-04-12 09:05 mysql -> /mnt/var/lib/mysql

ls -ld /mnt/{,var/{,lib/{,mysql}}}
drwxr-xr-x 5 root  root   4096 2011-04-12 07:27 /mnt/
drwxr-xr-x 3 mysql root   4096 2011-04-12 07:29 /mnt/var/
drwxr-xr-x 3 mysql ubuntu 4096 2011-04-12 07:33 /mnt/var/lib/
drwxr-xr-x 4 mysql mysql  4096 2011-04-12 07:31 /mnt/var/lib/mysql

The parts I changed in my.cnf:

user            = mysql
socket          = /var/run/mysqld/mysqld.sock
port            = 3306
basedir         = /usr
datadir         = /mnt/var/lib/mysql
tmpdir          = /mnt/tmp
skip-external-locking

I would really appreciate some help on this as I've failed miserable while trying to debug it.

I did a sudo chown -R mysql /mnt/var/lib/mysql so everything should be owned by the mysql server. /mnt is most certainly writable as I ran mv /var/lib/mysql /mnt/var/lib/ when I migrated. Mount confirms this:

$ mount | grep /mnt
/dev/sda2 on /mnt type ext3 (rw)

The disk is not full in space and it hasn't run out of inodes, disk quota don't seem to be active I installed repquota but it outputted absolutely nothing:

$ df -h /dev/sda2
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda2             335G  2.0G  316G   1% /mnt

$ df -i /dev/sda2
Filesystem            Inodes   IUsed   IFree IUse% Mounted on
/dev/sda2            44564480     104 44564376    1% /mnt

Creating things as the MySQL user works, as suggested in the comments:

$ su -s /bin/bash - mysql

$ touch /mnt/var/lib/mysql/ip-10-244-207-161.lower-test

$ ls -ld /mnt/var/lib/mysql/ip-10-244-207-161.lower-test
-rw-r--r-- 1 mysql mysql 0 2011-04-12 14:10 /mnt/var/lib/mysql/ip-10-244-207-161.lower-test

$ rm -f /mnt/var/lib/mysql/ip-10-244-207-161.lower-test
$ ls -ld /mnt/var/lib/mysql/ip-10-244-207-161.lower-test
ls: cannot access /mnt/var/lib/mysql/ip-10-244-207-161.lower-test: No such file or directory

MySql isn't running.

$ ps aux | grep mysql
ubuntu   20825  0.0  0.0   3700   776 pts/1    S+   15:40   0:00 grep --color=auto mysql

/etc/mysql/my.cnf

#
# The MySQL database server configuration file.
#
# You can copy this to one of:
# - "/etc/mysql/my.cnf" to set global options,
# - "~/.my.cnf" to set user-specific options.
# 
# One can use all long options that the program supports.
# Run program with --help to get a list of available options and with
# --print-defaults to see which it would actually understand and use.
#
# For explanations see
# http://dev.mysql.com/doc/mysql/en/server-system-variables.html

# This will be passed to all mysql clients
# It has been reported that passwords should be enclosed with ticks/quotes
# escpecially if they contain "#" chars...
# Remember to edit /etc/mysql/debian.cnf when changing the socket location.
[client]
port        = 3306
socket      = /var/run/mysqld/mysqld.sock

# Here is entries for some specific programs
# The following values assume you have at least 32M ram

# This was formally known as [safe_mysqld]. Both versions are currently parsed.
[mysqld_safe]
socket      = /var/run/mysqld/mysqld.sock
nice        = 0

[mysqld]
#
# * Basic Settings
#

#
# * IMPORTANT
#   If you make changes to these settings and your system uses apparmor, you may
#   also need to also adjust /etc/apparmor.d/usr.sbin.mysqld.
#

user        = mysql
socket      = /var/run/mysqld/mysqld.sock
port        = 3306
basedir     = /usr
datadir     = /mnt/var/lib/mysql
tmpdir      = /mnt/tmp
skip-external-locking
#
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
bind-address        = 127.0.0.1
#
# * Fine Tuning
#
key_buffer      = 16M
max_allowed_packet  = 16M
thread_stack        = 192K
thread_cache_size       = 8
# This replaces the startup script and checks MyISAM tables if needed
# the first time they are touched
myisam-recover         = BACKUP
#max_connections        = 100
#table_cache            = 64
#thread_concurrency     = 10
#
# * Query Cache Configuration
#
query_cache_limit   = 1M
query_cache_size        = 16M
#
# * Logging and Replication
#
# Both location gets rotated by the cronjob.
# Be aware that this log type is a performance killer.
# As of 5.1 you can enable the log at runtime!
#general_log_file        = /var/log/mysql/mysql.log
#general_log             = 1

log_error                = /var/log/mysql/error.log

# Here you can see queries with especially long duration
#log_slow_queries   = /var/log/mysql/mysql-slow.log
#long_query_time = 2
#log-queries-not-using-indexes
#
# The following can be used as easy to replay backup logs or for replication.
# note: if you are setting up a replication slave, see README.Debian about
#       other settings you may need to change.
#server-id      = 1
#log_bin            = /var/log/mysql/mysql-bin.log
expire_logs_days    = 10
max_binlog_size         = 100M
#binlog_do_db       = include_database_name
#binlog_ignore_db   = include_database_name
#
# * InnoDB
#
# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/.
# Read the manual for more InnoDB related options. There are many!
#
# * Security Features
#
# Read the manual, too, if you want chroot!
# chroot = /var/lib/mysql/
#
# For generating SSL certificates I recommend the OpenSSL GUI "tinyca".
#
# ssl-ca=/etc/mysql/cacert.pem
# ssl-cert=/etc/mysql/server-cert.pem
# ssl-key=/etc/mysql/server-key.pem



[mysqldump]
quick
quote-names
max_allowed_packet  = 16M

[mysql]
#no-auto-rehash # faster start of mysql but no tab completition

[isamchk]
key_buffer      = 16M

#
# * IMPORTANT: Additional settings that can override those from this file!
#   The files must end with '.cnf', otherwise they'll be ignored.
#
!includedir /etc/mysql/conf.d/